Ticketmaster must pay a substantial $10m fine in the US after several employees used unlawfully obtained passwords to hack a rival company’s computer systems – in attempts to “choke” it.
The US ticket sales & distribution giant, which is owned by Live Nation, in 2013 hired an employee who formerly worked for Ticketmaster’s rival company (reported by some outlets to be Songkick, a now-defunct company that offered concert pre-sale tickets), according to the US Department of Justice (DoJ) last week.
Credentials
This co-conspirator illegally retained credentials from the rival firm, which he & other Ticketmaster executives then used to hack into the victim company’s systems. From there, they were able to monitor the company’s draft ticketing web pages, allowing them to find out which artists planned to use the rival company to sell tickets.
They were also able to hack into & snoop on the company’s Artist Toolbox, a password-protected app that provides real-time data about ticket sales.
Illegal
“When employees walk out of one company & into another, it’s illegal for them to take proprietary information with them,” explained FBI Assistant Director-in-Charge Sweeney in a statement.
“Ticketmaster used stolen information to gain an advantage over its competition, & then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist — to protect consumers from being cheated in what should be a fair market-place.”
The Hack
According to court documents, the former senior employee of the victim company (who as of now remains unnamed) worked there between May 2010 and July 2012.
In 2012, he signed a ‘separation agreement’ with the victim company upon leaving, in which he agreed to maintain the confidentiality of that company’s sensitive data, before joining Live Nation in Aug. 2013.
In 2013, this former employee shared with former Ticketmaster Head of the Artist Services Division Zeeshan Zaidi the URLs for draft ticketing web pages of the victim company, which were not public.
Choke Off
“In response to a Ticketmaster executive explaining that the goal was to ‘choke off victim company’ & ‘steal back one of the victim company’s signature clients,’ co-conspirator 1 offered that Ticketmaster could ‘cut victim company off at the knees’ if they could win back presale ticketing business for a 2nd major artist that was a client of the victim company,” according to the US DoJ.
Usernames & Passwords
Then, the former employee sent Zaidi & another Ticketmaster executive multiple sets of usernames & passwords for the victim company’s password-protected Artist Toolbox app & encouraged them to “screen-grab the hell out of the system.”
The co-conspirators even went as far as to use the passwords to access the app in a live demo at a Ticketmaster internal summit, in front of at least 14 other Ticketmaster & Live Nation employees, according to the DoJ.
The former employee in 2015 was promoted & given a raise; meanwhile, Ticketmaster employees continued to access the Artist Toolbox app through to Dec. 2015.
Next Steps
In 2015, the victim company filed a civil complaint against Live Nation & Ticketmaster alleging antitrust violations. That lawsuit was amended in 2017 to add allegations that Ticketmaster had accessed the company’s computer systems without authorisation. In 2017, both the former employee & Zaidi were then terminated by Ticketmaster.
Last week’s fine against Ticketmaster answers charges that the company “repeatedly accessed without authorisation the competitor’s computer systems.”
The fine is part of a ‘deferred prosecution agreement’ that Ticketmaster entered with the US Attorney’s Office for the Eastern District of New York to resolve a 5-count criminal complaint filed charging computer intrusion & fraud offenses.
Guilty
As part of the charges, on Oct. 18, 2019, Zaidi pleaded guilty in a related case to ‘conspiring to commit computer intrusions & wire fraud’ based on his participation in this scheme.
This is also not the 1st time Ticketmaster has found itself with a large fine for cyber-security-related issues. In Nov., Ticketmaster’s UK division was given a $1.65m fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4m customers.
Insider Threats
The incident highlights the insider threats from employees facing many companies – an issue that is particularly worrying today, as many employees may feel ‘stressed or disillusioned’ by their workplace during today’s shaky, COVID-19-disrupted economy.
One specific concern that this case emphasises for companies is employees illegally retaining data after leaving a firm. For example, last year a former Cisco employee was sentenced to 2 years in prison after he hacked into Cisco’s Webex collaboration platform – after leaving the firm.